Talk:Schema
== Untitled ==

There's a relevant comment on this type of script at MediaWiki talk:Microformat Support/code.js#Usage of scripting to implement metadata frameworks. Might be worth a look.

The concept behind this script isn't to fully implement a metadata framework. The concept is more to make it so that the user can edit the metadata. I've also found a feasible way to pull it off, but due to the current edit lock, it's backlogged. Code Lyoko Wiki: User: Deadcoder 15:48, August 13, 2015 (UTC)

== Issue ==

Due to the lacking security measures in the loader script, someone is completely able to inject raw HTML into an article page by exploiting how the script fetches schemas. This means that someone can inject images, scripts, stylesheets, iframes, and various other elements along with their nefarious onclick, onmouseover, and onload attributes. Utilizing these things it is completely possible for someone to create an attack and easily deploy it against users.

I would highly suggest that you take the time to do a security review before making requests to have your code shipped to users.

I have talked with Wikia staff about this and they suggest that I bring this up with you, so in order for you to observe how one can exploit the script it is necessary for me to make the exploit public knowledge.

You can find the point of attack here (note: the attack vector is hidden via CSS so there is no visual notice of an attack): page

You can find the exploit here: page

骑士盔甲 17:26, November 6, 2015 (UTC)

:I'll try to fix this. I'm not great at dealing with injection issues, and this code was VERY rushed, so there are issues. I'll try to fix the injection vulnerability. Thoughts on a fix? Code Lyoko Wiki: User: Deadcoder 17:49, November 6, 2015 (UTC)

::To be completely honest, if you are not good with dealing with injection issues then you should not be dealing with injecting code into anything, plain and simple. Another thing, you should never rush code, especially code that could potentially put users at risk.
::I do not have any ideas on how to fix this to be honest. Looking at how it is done, you should not allow transclusion from one public namespace to another. It is simply a bad idea no matter how you hash it out.
::骑士盔甲 17:58, November 6, 2015 (UTC)

:::The original version of this used MediaWiki namespaced schema code, but due to the lockdown, I had to abandon that. Also, I've written a patch: http://codelyoko.wikia.com/wiki/MediaWiki:SchemaLoader.js?oldid=112413&diff=112607. The jQuery documentation states that a parsing error will keep the "done" statement from running, so the updated version should only inject valid JSON. http://api.jquery.com/jquery.getjson/. I've submitted this for review, and I'm sending an email to Wikia to update this instance of the code. Code Lyoko Wiki: User: Deadcoder 18:08, November 6, 2015 (UTC)

::::I tested your new version and it does indeed stop injection if the data is not valid JSON.
::::In the future I urge you to carefully consider the security of your scripts when handling raw data that is injected into the page.
::::骑士盔甲 19:03, November 6, 2015 (UTC)
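The thread above turns on one design choice: whether the text a loader fetches from a publicly editable wiki page is dropped into the article as HTML, or parsed as JSON (failing hard on anything else) and then rendered through escaping. The following is an added illustration of that difference, written for this talk page; it is not the Code Lyoko Wiki's SchemaLoader.js or the patch linked above, and every name in it (loadSchemaUnsafe, loadSchemaSafe, validateSchema, the "type"/"fields" shape, and the three sample responses) is an assumption made for the example. It runs under plain Node.js, with JSON.parse standing in for the parse step that $.getJSON performs before its done handler fires.

```javascript
// Added example (not the wiki's SchemaLoader.js): the "inject the fetched
// response as HTML" pattern next to a "parse as JSON, validate, escape"
// pipeline. All names and sample data below are constructed for this
// illustration.

// Constructed sample responses, standing in for what a loader would fetch
// from a wiki page that anyone can edit.
const GOOD_RESPONSE = JSON.stringify({
  type: "Person",
  fields: [
    { name: "name", value: "Aelita" },
    { name: "role", value: "Student & hacker" },
  ],
});
// Not JSON at all: arbitrary markup placed on the source page.
const TAMPERED_RESPONSE = '<div class="schema"><b>not json</b></div>';
// Valid JSON whose string value carries markup; it must render as text.
const MARKUP_IN_VALUE = JSON.stringify({
  type: "Person",
  fields: [{ name: "name", value: "<b>bold?</b>" }],
});

// The pattern the thread objects to: whatever the source page returned
// becomes article HTML, so whoever edits that page controls the markup
// every reader's browser executes. (Equivalent of $(el).html(response).)
function loadSchemaUnsafe(response) {
  return `<div class="schema">${response}</div>`;
}

// Escape the five characters that can start markup or break out of an
// attribute value, so data is always shown as text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Check the parsed object against the shape the loader expects and copy
// only the allowed keys. Unknown keys, wrong types and non-objects are
// rejected instead of being passed through to the renderer.
function validateSchema(obj) {
  if (typeof obj !== "object" || obj === null || Array.isArray(obj)) return null;
  if (typeof obj.type !== "string" || !/^[A-Za-z]+$/.test(obj.type)) return null;
  if (!Array.isArray(obj.fields)) return null;
  const fields = [];
  for (const f of obj.fields) {
    if (typeof f !== "object" || f === null) return null;
    if (typeof f.name !== "string" || typeof f.value !== "string") return null;
    fields.push({ name: f.name, value: f.value });
  }
  return { type: obj.type, fields };
}

// The hardened pipeline: JSON.parse throws on anything that is not JSON
// (the behaviour the thread relies on from $.getJSON), the parsed object
// is validated, and every value is escaped before it reaches the page.
function loadSchemaSafe(response) {
  let parsed;
  try {
    parsed = JSON.parse(response);
  } catch (e) {
    return { ok: false, error: "response is not valid JSON", html: "" };
  }
  const schema = validateSchema(parsed);
  if (!schema) {
    return { ok: false, error: "JSON does not match the expected schema shape", html: "" };
  }
  const rows = schema.fields
    .map((f) => `<tr><th>${escapeHtml(f.name)}</th><td>${escapeHtml(f.value)}</td></tr>`)
    .join("");
  const html = `<table class="schema schema-${escapeHtml(schema.type)}">${rows}</table>`;
  return { ok: true, error: null, html };
}

// Demo when run directly: the tampered page is rejected, and markup inside
// a JSON string value comes out escaped rather than live.
console.log(loadSchemaSafe(TAMPERED_RESPONSE));
console.log(loadSchemaSafe(MARKUP_IN_VALUE).html);
console.log(loadSchemaSafe(GOOD_RESPONSE).html);
```

Two things are worth noting about the design. Rejecting non-JSON is necessary but not sufficient: a vandal can still write valid JSON whose string values contain markup, which is why the values are escaped (or, in a real browser, assigned through textContent / createElement rather than innerHTML) and why the object is checked against an expected shape before rendering. And transclusion from a public namespace remains a trust decision that no amount of parsing changes; the escaping only guarantees that whatever is transcluded is displayed as data, never executed as markup.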